| author | Robert Speicher <robert@gitlab.com> | 2016-05-07 22:08:46 +0300 |
|---|---|---|
| committer | Robert Speicher <robert@gitlab.com> | 2016-05-07 22:08:46 +0300 |
| commit | 4a844b73ff2daf6b08dc36a8c7117df753b8bdd7 (patch) | |
| tree | 29a415bf256895bd84d4a9bb26dc3702c5aea9f5 /app | |
| parent | f3578baa83ca8d576f4fe1bef50ebae61615768e (diff) | |
| parent | 21d89d0286e385d6d0a4debdbf7c801939c3e279 (diff) | |
Merge branch 'fix-sanitize-svg' into 'master'
Update SVG sanitizer to conform to SVG 1.1
Original SVG sanitizer would strip out necessary elements and attributes.
Use a custom Loofah scrubber since sanitize 2.x transformers are inadequate to handle case-sensitive SVG attributes since they parse documents as HTML instead of XML, which causes all SVG attribute names (e.g. `viewBox`) to be downcased.
* SVG element list: https://www.w3.org/TR/SVG/eltindex.html
* SVG attribute list: https://www.w3.org/TR/SVG/attindex.html
Closes #14555
See merge request !3401
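The commit message describes the approach: parse the SVG as XML so that case-sensitive attribute names such as `viewBox` survive, then keep only elements and attributes from the SVG 1.1 indexes. The block below is an added illustration of that approach written for this page; it is not GitLab's `Gitlab::Sanitizers::SVG`, not a Loofah scrubber, and uses only Ruby's standard-library REXML so it runs without gems. The allow-lists are deliberately short excerpts of the W3C element and attribute indexes, the sample SVG is constructed, and the rule that `xlink:href` may only point at an element in the same document (`#id`) is an assumption of this example, not something the page states.

```ruby
require 'rexml/document'

# Constructed, deliberately short allow-lists (the real SVG 1.1 element and
# attribute indexes are far longer). Names are compared case-sensitively,
# which only works because the input is parsed as XML rather than HTML.
SVG_ALLOWED_ELEMENTS = %w[
  svg g defs use title desc
  path rect circle ellipse line polyline polygon text tspan
  linearGradient radialGradient stop
].freeze

SVG_ALLOWED_ATTRIBUTES = %w[
  xmlns xmlns:xlink id class
  width height viewBox preserveAspectRatio transform
  x y x1 y1 x2 y2 cx cy r rx ry d points offset
  fill stroke stroke-width stroke-linecap stroke-linejoin opacity
  stop-color stop-opacity gradientUnits
  xlink:href
].freeze

# Assumed policy for this example: an xlink:href is kept only when it refers
# to an element inside the same document ("#id"), which is what <use> and
# gradient references need; any other target is dropped.
def allowed_attribute?(attr)
  name = attr.expanded_name # e.g. "viewBox", "xlink:href", "onload"
  return false unless SVG_ALLOWED_ATTRIBUTES.include?(name)
  return attr.value.start_with?('#') if name == 'xlink:href'

  true
end

def scrub_element(el)
  # Children first: removing an element drops its whole subtree, so a
  # <script> nested inside an allowed <g> disappears along with its text.
  el.elements.to_a.each do |child|
    if SVG_ALLOWED_ELEMENTS.include?(child.name)
      scrub_element(child)
    else
      child.remove
    end
  end

  # Collect before deleting; mutating REXML::Attributes while iterating is unsafe.
  attrs = []
  el.attributes.each_attribute { |a| attrs << a }
  attrs.each { |a| el.attributes.delete(a) unless allowed_attribute?(a) }
end

# Parses +xml+ as an XML document (so attribute case survives), keeps only
# allow-listed elements and attributes, and serialises the result.
# Anything that is not a well-formed document rooted at <svg> becomes an
# empty string instead of being passed through unsanitized.
def scrub_svg(xml)
  doc = REXML::Document.new(xml)
  root = doc.root
  return '' unless root && root.name == 'svg'

  scrub_element(root)
  out = String.new
  doc.write(out)
  out
rescue REXML::ParseException
  ''
end

# Element names in document order, for inspecting what survived scrubbing.
def element_names(xml)
  root = REXML::Document.new(xml).root
  names = [root.name]
  root.each_recursive { |e| names << e.name }
  names
end

# Constructed sample: mixed-case viewBox, an event-handler attribute, a
# <script> element, a local and an external <use> reference, and an <a>.
SAMPLE_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
       viewBox="0 0 100 100" onload="alert(1)">
    <script>alert(1)</script>
    <defs><circle id="dot" cx="50" cy="50" r="10" fill="red"/></defs>
    <use xlink:href="#dot"/>
    <use xlink:href="https://cdn.example.invalid/icons.svg#dot"/>
    <a xlink:href="https://example.invalid/"><text x="10" y="20">hi</text></a>
  </svg>
SVG

puts scrub_svg(SAMPLE_SVG) if __FILE__ == $PROGRAM_NAME
```

Because the document is parsed as XML, `viewBox` keeps its capital B and matches the allow-list; an HTML parse would have produced `viewbox`, and a case-sensitive whitelist would then have stripped it, which is the breakage the commit describes. The trade-off is strictness: a malformed blob that an HTML parser would have repaired is rejected outright here, so callers must decide whether an empty result is acceptable for their display path.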
Diffstat (limited to 'app')
-rw-r--r-- | app/helpers/blob_helper.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb index 474c6f27374..93241b3afb7 100644 --- a/app/helpers/blob_helper.rb +++ b/app/helpers/blob_helper.rb @@ -131,7 +131,7 @@ module BlobHelper # elements and attributes. Note that this whitelist is by no means complete # and may omit some elements. def sanitize_svg(blob) - blob.data = Loofah.scrub_fragment(blob.data, :strip).to_xml + blob.data = Gitlab::Sanitizers::SVG.clean(blob.data) blob end |
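Review bot: the comment directly above `sanitize_svg` ("elements and attributes. Note that this whitelist is by no means complete and may omit some elements.") now refers to a whitelist that no longer lives in this file, since all that remains here is the call to `Gitlab::Sanitizers::SVG.clean`; update it to point at that module and at the W3C element/attribute indexes cited in the commit message, so the next person extending the list knows where to look. Because the diffstat is limited to `app`, the sanitizer itself is not visible in this view, so two things should be checked against its implementation: that it parses the blob through Loofah's XML entry points (`Loofah.xml_fragment` / `Loofah.xml_document`) rather than the HTML parser, which is the whole point of the `viewBox` downcasing problem described in the commit message, and that its return value is a String like the old `Loofah.scrub_fragment(blob.data, :strip).to_xml`, since it is assigned straight into `blob.data`. One behavioural difference deserves a spec: the old `:strip` pass went through a lenient HTML parse, whereas a strict XML parse of a malformed blob may raise or yield an empty document; whichever `clean` does, `sanitize_svg` must not fall through with the unsanitized data still in `blob.data`.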